franceconnect: ensure id and secret input are 64-character long (#54852)

2021-06-14 17:33:05 +02:00 · 2021-06-14 17:33:05 +02:00 · 77e9e2c539
parent afb89ff9a8
commit 77e9e2c539
2 changed files with 55 additions and 0 deletions
--- a/hobo/franceconnect/forms.py
+++ b/hobo/franceconnect/forms.py
@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 from django import forms
+from django.core.exceptions import ValidationError
 from django.utils.translation import ugettext_lazy as _


@ -56,6 +57,39 @@ class SettingsForm(forms.Form):
        help_text=_('These scopes will be requested in addition to openid'),
    )

+    def clean(self):
+        cleaned_data = super().clean()
+        cleaned_data['client_id'] = cleaned_data['client_id'].strip()
+        cleaned_data['client_secret'] = cleaned_data['client_secret'].strip()
+        errors = []
+
+        if len(cleaned_data['client_id']) != 64:
+            errors.append(
+                ValidationError(
+                    _('Client identifier must be a 64-character-long string.'), code='client_id_64'
+                )
+            )
+        if len(cleaned_data['client_secret']) != 64:
+            errors.append(
+                ValidationError(
+                    _('Client secret must be a 64-character-long string.'), code='client_secret_64'
+                )
+            )
+
+        try:
+            int(cleaned_data['client_id'], 16)
+        except ValueError:
+            errors.append(ValidationError(_('Client identifier must be hexadecimal.'), code='client_id_hexa'))
+        try:
+            int(cleaned_data['client_secret'], 16)
+        except ValueError:
+            errors.append(ValidationError(_('Client secret must be hexadecimal.'), code='client_secret_hexa'))
+
+        if errors:
+            raise ValidationError(errors)
+
+        return cleaned_data
+

 class EnableForm(forms.Form):
    pass
--- a/tests/test_franceconnect.py
+++ b/tests/test_franceconnect.py
@ -41,9 +41,30 @@ def test_franceconnect(app, admin_user):
    assert Variable.objects.filter(name__startswith='SETTING_A2_FC').count() == 1
    assert Variable.objects.filter(name__startswith='SETTING_A2_FC_ENABLE', value='true').count() == 1

+    # id and secret too short
    response.form.set('platform', 'prod')
    response.form.set('client_id', 'xyz')
    response.form.set('client_secret', '1234')
+    response = response.form.submit()
+    assert "Client identifier must be a 64-character-long string." in response.text
+    assert "Client secret must be a 64-character-long string." in response.text
+
+    # id and secret too long
+    response.form.set('client_id', 'wxyz' * 30)
+    response.form.set('client_secret', '1234' * 30)
+    response = response.form.submit()
+    assert "Client identifier must be a 64-character-long string." in response.text
+    assert "Client secret must be a 64-character-long string." in response.text
+
+    # id and secret not hexadecimal
+    response.form.set('client_id', 'wxyz' * 16)
+    response.form.set('client_secret', '123z' * 16)
+    response = response.form.submit()
+    assert "Client identifier must be hexadecimal." in response.text
+    assert "Client secret must be hexadecimal." in response.text
+
+    response.form.set('client_id', '01ab' * 16)
+    response.form.set('client_secret', '23cd' * 16)
    response = response.form.submit().follow()

    assert Variable.objects.filter(name__startswith='SETTING_A2_FC').count() == 10